Tuesday, September 29, 2015

VawTrak Trojan

Today I was diagnosing why a client's Internet connection was running so slowly. After tracing the traffic I found the cause was a single Windows 7 PC infected with a virus. The following processes were running on the machine, all communicating with various Internet IP addresses:

conhost.exe
cmd.exe
ctfmon.exe
dllhost.exe
msiexec.exe
notepad.exe
presentationhost.exe

Note: Use Windows Resource Monitor and navigate to the Network tab to find out which processes are communicating with Internet resources.

When one of these processes was killed, it would simply respawn. The computer was also running very slow and sluggish, with web browsers and Windows Explorer constantly hanging and freezing.

These symptoms are related to Trojan.VawTrak, which the computer was infected with. Trojan.VawTrak copies itself into C:\ProgramData and spawns these processes with its malicious code.
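The manual check described above (Resource Monitor's Network tab, then looking for system-named processes that have no business talking to the Internet, or images living under C:\ProgramData) can be scripted. The following is an added example written for this post, not code from the original article or from AVG. It assumes Windows 7 with PowerShell 2.0, so it parses the output of netstat -ano instead of using Get-NetTCPConnection (which needs Windows 8 / PowerShell 3), and the list of process names it treats as anomalous when connected is taken from the list above. Run it from an elevated prompt so that the Path of every process can be read.

```powershell
# Added example: list processes holding established, non-loopback TCP connections
# and flag (a) any image located under %ProgramData% and (b) system-named
# processes (from the list in the post) that should not normally hold outbound
# connections at all. msiexec.exe and dllhost.exe can legitimately connect on
# occasion, so treat the output as a triage list, not a verdict.

$systemDir   = $env:SystemRoot     # e.g. C:\Windows
$programData = $env:ProgramData    # e.g. C:\ProgramData

# Process names from the post that were seen communicating with the Internet
$systemNames = @('conhost', 'cmd', 'ctfmon', 'dllhost', 'msiexec', 'notepad', 'presentationhost')

# netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
# Keep only ESTABLISHED TCP connections whose remote end is not loopback.
$connections = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$' -and
        $matches[1] -notmatch '^(127\.|\[::1\])') {
        New-Object PSObject -Property @{
            Remote    = $matches[1]
            ProcessId = [int]$matches[2]
        }
    }
}

# Note: $pid is an automatic variable in PowerShell, so use a different name.
$report = foreach ($group in ($connections | Group-Object ProcessId)) {
    $procId = [int]$group.Name
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    if (-not $proc) { continue }   # process exited between netstat and the lookup

    $path = $proc.Path             # $null for protected processes when not elevated
    $inWindows = $false
    $inProgramData = $false
    if ($path) {
        $inWindows     = $path.StartsWith($systemDir,   [StringComparison]::OrdinalIgnoreCase)
        $inProgramData = $path.StartsWith($programData, [StringComparison]::OrdinalIgnoreCase)
    }

    $name = $proc.ProcessName.ToLower()
    $reasons = @()
    if ($inProgramData)                 { $reasons += 'image under ProgramData' }
    if ($systemNames -contains $name)   { $reasons += 'system-named process with outbound connection' }
    if ($systemNames -contains $name -and $path -and -not $inWindows) { $reasons += 'image not under SystemRoot' }

    New-Object PSObject -Property @{
        ProcessId  = $procId
        Name       = $proc.ProcessName
        Path       = $path
        Remotes    = ($group.Group | ForEach-Object { $_.Remote }) -join ', '
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Suspicious entries first; copy the remote addresses into your firewall/proxy logs for correlation.
$report | Sort-Object Suspicious -Descending |
    Format-Table -AutoSize ProcessId, Name, Suspicious, Reasons, Path, Remotes
```

Because the respawning behaviour described above means killing a flagged process does not help, the useful output here is the image path and the remote addresses: the path tells you where the dropped copy lives for cleanup, and the addresses can be blocked at the perimeter while the machine is rebuilt or scanned.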

Trojan.VawTrak can be cleaned up with Malwarebytes or manually.

Trojan.VawTrak is a virus you definitely want to get rid of as it is designed to steal online banking information. Some of the common tasks it performs are:

Opens a VNC (Virtual Network Computing) channel for remote control of the infected machine.

Creates a SOCKS proxy server for communication through the victim's computer.

Changes or deletes browser settings (e.g. disables Firefox SPDY) and history. Vawtrak supports three major browsers to operate in – Internet Explorer, Firefox, and Chrome. It also supports password stealing from other browsers.

Modifies browser communication with a web server.

Stores internal settings in encrypted registry keys.

Due to the severity of this Trojan and the rate at which it is spreading, AVG has done a detailed writeup, which is available here:
